mailing list archives
Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 15 Mar 2000 22:42:39 +1100
In some mail from Mikael Olsson, sie said:
Workarounds to this specific vulnerability
* Disable active FTP. Errrr, wait. The fix for the server side
vulnerability was to disable passive FTP.
Which specific vulnerability was this ?
And was it a vulnerability or a DoS problem ?
It was the "Multiple firewalls FTP server "PASV" vulnerability"
mentioned in my reference list. Basically does the same thing
- letting people connect to any port - but on FTP servers
instead. The official "fix" was "disable passive FTP". Well,
since the "fix" for this is "disable active FTP".. ... :-)
This is a different problem and can be fixed to remove the
vulnerability that exists. This particular problem exists
only because of people taking shortcuts to implement ftp
proxies by just looking at packets (personally, I'm one of
them and I hate it, and much prefer people to use ftp-gw).
So the upshot of this is with FW-1, you're screwed until you
get the relevant fixes in place for ftp. With any proxy
based solution, you should only allow passive FTP.